Normally when we think of security, computers and smartphones come to mind, but what about whole buildings? During Black Hat Sessions 2018, Elisa Costante, Head of Research at SecurityMatters, gave a presentation about smart building automation and how (in)secure it can be. Below you will find a brief report by Michael Anastasakis, security analyst at Secura, about the presentations by Elisa Costante and Nirvana Meratnia in the IoT Security track. Here you will find the link to all brief reports and recordings.

A smart building is a complex ecosystem where devices such as cameras, alarms and access control mechanisms integrate with each other, share information over the network and act in a coordinated way. Elisa highlights the fact that smart buildings and smart cities are where we are heading especially in the Netherlands.

Smart Building Automation

Bijlmer Arena itself is a smart building: its rooftop has solar panels that provide energy to the stadium as well as the surrounding buildings. However, hackers need a motive, a final goal, to target such buildings. Most of the time such buildings are hospitals, data centers or airports, which makes them valuable targets for a hacker. Moreover, at least 60% of them have systems that are extremely old, known as legacy systems, that lack basic protection mechanisms such as authentication or encryption.

Finally, as beneficial as it can be, the high connectivity of entities in a smart building also leads to more potential vulnerabilities. Combine these three key points and you have got yourself the perfect target for an attacker. To protect such systems, Elisa presents a few scenarios and mitigation techniques, such as monitoring IoT device network traffic and behavior, implementing encryption, and detecting weak device configurations. To persuade all the technical people in the crowd, Elisa demonstrates a practical MitM attack executed by her team on smart building cameras. The hackers intercept the network traffic between an office camera and the control office and replace the actual footage with their own. As a result, the hackers can freely roam the office without raising any alarms.
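The camera demonstration works because the control room has no way to tell that a frame was produced by the camera rather than by someone on the wire. The following added example (not code from the talk or from SecurityMatters) shows the defensive principle behind the "encryption techniques" mitigation in its simplest form: the camera authenticates every frame with an HMAC over the camera id, a sequence number and the frame bytes, and the control room rejects frames whose tag does not verify or whose sequence number goes backwards. The camera id, key, frame contents and wire layout are all constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo (not from the presentation): every frame carries
#   header = camera_id (16 bytes) || sequence number (uint64, big-endian)
#   tag    = HMAC-SHA256(key, header || frame)
# A man-in-the-middle who swaps the frame bytes cannot recompute the tag
# without the key, and replaying an old authentic frame is caught by the
# strictly increasing sequence number.

HEADER_FMT = ">16sQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def sign_frame(key: bytes, camera_id: bytes, seq: int, frame: bytes) -> bytes:
    """Camera side: return the wire message header || frame || tag."""
    header = struct.pack(HEADER_FMT, camera_id, seq)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class ControlRoom:
    """Receiver side: verifies the tag and enforces per-camera sequence order."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # camera_id -> highest sequence number accepted
        self.alerts = []     # (camera_id, seq, reason) for the SOC to look at

    def receive(self, message: bytes) -> str:
        if len(message) < HEADER_LEN + TAG_LEN:
            return "reject:malformed"
        header = message[:HEADER_LEN]
        frame = message[HEADER_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        camera_id, seq = struct.unpack(HEADER_FMT, header)
        expected = hmac.new(self.key, header + frame, hashlib.sha256).digest()
        # compare_digest avoids leaking the tag through timing differences
        if not hmac.compare_digest(expected, tag):
            self.alerts.append((camera_id, seq, "bad_tag"))
            return "reject:bad_tag"
        if seq <= self.last_seq.get(camera_id, -1):
            self.alerts.append((camera_id, seq, "replay"))
            return "reject:replay"
        self.last_seq[camera_id] = seq
        return "accept"


def run_demo() -> list:
    """Replay the talk's scenario against an authenticated feed; returns the verdicts."""
    key = b"constructed-demo-key-not-for-production"
    cam = b"lobby-cam-01"
    room = ControlRoom(key)
    genuine = [sign_frame(key, cam, i, b"frame-%d" % i) for i in range(3)]
    results = [room.receive(m) for m in genuine]            # three accepts
    # Attacker substitutes footage in frame 2 but has to reuse the old tag.
    forged = genuine[2][:HEADER_LEN] + b"empty-office-loop" + genuine[2][-TAG_LEN:]
    results.append(room.receive(forged))                    # reject:bad_tag
    # Attacker replays an authentic earlier frame to freeze the picture.
    results.append(room.receive(genuine[1]))                # reject:replay
    results.append(room.receive(sign_frame(key, cam, 3, b"frame-3")))  # accept
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The scheme provides integrity and freshness, not confidentiality; a real deployment would get both from TLS or SRTP on the camera link rather than a hand-rolled tag. The point the demo makes is that the alerts list on the control-room side is exactly the signal the talk's monitoring mitigation is after: a cleartext, unauthenticated stream gives the operator nothing to alert on, an authenticated one turns footage substitution into a logged event.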

Impact of IoT Devices on User Privacy

Furthermore, Nirvana Meratnia from the University of Twente dove into the impact IoT devices have on user privacy. Nirvana highlights the fact that combining the information retrieved by IoT devices can produce a rich dataset about users. In the hands of a hacker, this dataset can be extremely useful for tracking or identifying individuals. Nirvana gives a practical example of SSIDs: what type of information they contain and how they can be exploited by a malicious user. Needless to say, such results are a red flag for user privacy. To tackle the problem, the government provided a solution in the form of the GDPR. Everyone in security knows the GDPR at least by name. However, according to Nirvana, the GDPR regulation is complex and hard to understand. More importantly, the GDPR is difficult to translate into a practical version that can be used in industry.

IoT is an exciting sector with a lot to offer, but at the same time a sector that lacks the standards and guidelines that would protect user privacy, according to Nirvana Meratnia.